Authenticating a web server

[Amit Sharma <amit.sharma () linuxwaves com>]

Hi list,

Was wondering what are the various ways for authenticating a web server. By this, I mean, how do I know if I am talking 
to the rite server and not any phony website?

Option # 1
To my understanding, we can verifying the identity of the server if it has a a certificate seal on its website. 
Something similar to what is issued by verisign. But then, to me, it doesn't look like a full proof solution since the 
security logo that verisign provides and provides links to, can also be made phony. Do verisign people patrol for phony 
logos of their security seal?


Option # 2
How about storing the header ( HTTP/HTTPS ) information of the web server such as the web server version and other 
specific details which do not change quite often for authenticating purpose. This can be used to cross check with the 
header info. of a phony website claiming to be the original one. Typically, attackers building phony websites just 
duplicate the look and feel of the original website without actually bothering about modifying the header information 
as well. 

am sure there must be better ways for authenticating a web server. Would like to have some expert comments from Web 
Application Security gurus.

Gracias,
Amit

---
Whoops! There are still thousands of nuclear weapons in the world